Details about this were presented in a paper at the USENIX conference a few weeks ago. Join us after the break where we’ve embedded the thirty-minute talk. There’s a lot of interesting stuff in there. The IM-ME can be used to decode the metadata that starts each radio communication. That means you can track who is talking to whom. But for us the most interesting part was starting at about 15:30 when the presenter, [Matt Blaze], talked about directed jamming that can be used to alter law enforcement behavior. A jammer can be set to only jam encrypted communications. This may prompt an officer to switch off encryption, allowing the attackers to listen in on everything being said to or from that radio.

I myself have researched this radio standard for a few years now. I have found many more vulnerabilities than these guys have mentioned.
I won’t share them for the sake of it falling into the wrong hands, but I can say that it’s enough to make me a little queasy.
Not only are there problems with the security, the price is another factor. Many law enforcement agencies have to buy this equipment in order to keep up with surrounding areas. The vocoder itself is very expensive and has a hefty royalty fee.
I have taken it upon myself to address these issues and turn speex into a new digital radio system standard. And Ham’s should at least benefit from the lower cost of my work.

While I agree that official communications should be recorded and subject to review for accountability’s sake, I disagree that they should always be unencrypted. For example, consider a hostage situation in which law enforcement must coordinate without the knowledge of the hostage-takers or other parties in order to take them by surprise. There are times when encrypted communication is necessary for the effective execution of their jobs.

There are some communications so private that they should never be made public. An example might be the name of a rape victim or an abused minor.

There are some communications that need a delay, but only a short delay. Perhaps the oddball hostage situation.

For the overwhelming majority of police radio communication, they need to be transmitted live and in the clear. I can’t tell you the number of times I’ve found out exactly why a helicopter had been circulating the area or what the huge firetruck response was all about. After an accidental chemical release or a terrorist attack I’ve found out exactly what was going on thanks to my scanner. The media has been less than helpful because usually only get a strange diluted version of what happened, after a delay, on the five o’clock news.

Unfortunately this is exactly the reverse of what is happening. Puppycide and SWAT teams and garbage trucks bought with homeland defense pork spending. Super-seekret cross-state radio networks that encrypt even the mutual aid frequencies. Getting the recycling collectors and the dog catcher both on scrambled trunked radio systems. I can’t see any of this crap ending well.

This has received a lot of unwarranted publicity from the chicken little gallery. It’s also what happens when you have “IT” weenies with ZERO real world radio background focusing in on something to make themselves look credible in their industry (IT security).

As someone on another message board suggested, I could write big headlines to the effect of “$.10 cent Home Depot part renders top secret national security million dollar device inoperable!!”…what might this be ? hey, i’ll just drop a screw onto a live circuit board inside say a control panel for an F-22 CDU.

Some of you need to stop “skimming” articles and repeating the hype generated by a rag of CNET’s caliber.

To Old Crows in the defense industry, and others in the radio business, this is no news. Heck there are literally dozens of more PRACTICAL ways to disrupt communications. The time/effort needed to implement this kind of EXPERIMENT, would be tactically unsound in the REAL WORLD (particularly when less complicated vectors to achieve the same goal exist).

Also, you’ll notice the academic work focused on end users not selecting encryption-on. In other words they were transmitting un-coded messages. This is not a hardware issue, but a user issue of the feature being ignored.

All hype, little substance of practical value (to anyone but IT weenies wanting to push buttons of clueless management types and politicians – presumably to give the illusion of elevating their own ‘value add’ to the organization).

As I stated, dozens and dozens of more easier ways to disrupt a radio system.

Read the paper or watch the video, i agree that an army of criminals armed with girltech im-me jammers are not a real threat. but attack behind this using selective jamming of frame only needs 4db of power UNDER base station received power. Not to mention the ability of selective jam comms.
These are pretty clever attacks.

@John P, keeping the knowledge back does far more damage because when the “bad guys” do figure it out they will probably use it to greater effect.
Better to publish what you know anonymously in a way that proves the system is fundamentally broken and let the authorities take appropriate action.

Remember, security through obscurity is no security at all!!

(Sony learned this the hard way, military grade security on the PSP and it could be defeated with a simple buffer overflow from the battery E2PROM)

from what i read, it wasnt a buffer overflow
it was a backdoor for recovering it from a bricked state
if the serial# is 0, it will boot off the memory stick
they simply left out any signed boot file checking on the backdoor

There is a world of difference between knowingly talking on an unencrypted channel and talking on a channel you believe to be secure. The encryption itself hasn’t been broken/cracked. Having users mistakenly believe it is turned on when it isn’t is a Very Bad Thing(tm) but has nothing to do with the IMME attack. The attack is about two things, creating a positional knowledge of nearby radios and selectively jamming only the encrypted traffic so that users are forced to go unencrypted (though they should know this and therefore watch what they say a bit more). Both are very bad.

@JohnConnor

I don’t think you understood the attack. By sniffing the start of the packet, you can determine not only if it is encrypted, but which radio is sending it. So no, it is not a spectrum jam, but a highly targeted and specific jam. Like if you followed someone around in a crowd and only dropped banana peels in front of that specific person or waited to hear the first word of their sentence and if it started with a vowel then you would cough really loudly to drown out the rest.

It sounds like this could be adapted to knock out or even replace specific radio IDs so that a legit user could be completely silenced or impersonated. THAT sounds like a scary scenario!

Are any of you noobs even comprehending the hype in that dubious IT resume padding article ?

Encryption was NOT broken or “hacked”, in any way, shape or form ! The radio user did not switch encryption “on”. LUSER error. It can be configured out by the way, just program the talkgroup as “secure” only”.

Besides, that $15 “toy” was hacked with custom firmware and an add on power amplifier. If I was an adversary, why the hell would I even bother with such troublesome and lengthy procedures when I can just buy a radio off e-bay, and jam the damn control channels at the tower sites ? You’ll really take down the system in that way. Repeat for each site for a wide area (multi-zone) system.

Get off your “IT” weenie-geek momma’s basements, and enter the real world of terrorists using simple but cheap AK-47’s, or gas bombs with a match and a fuse… (NOT complex Arduino controlled timing mechanisms!)… sheesh…

You need to learn how to communicate with civility. I’m certain you have many wonderful things to say, but if you keep saying them in this manner, I fear that you will be banned, and then nobody will be able to learn from your wisdom.

Please take a step back from the situation and re-evaluate your attitude, as it is hurtful to the free exchange of ideas.

Please describe to me the effort/reward ratio of the scenario you present.

There are simpler ways to execute the radio ID spoofing you describe. The least of which is to clone a legit radio and put it on the system (remember the old AMPS days of cellular cloning?).

Newer generation of core software these P25 systems are running (at least with one manufacturer), will be deploying dynamic radio authentication similar to what cellular phones do before being allowed access to the network. This is specific to that one vendor, and is permitted in the P25 specs as a “value added feature”.

This is nothing but a tempest in a teapot. It has zero practical value for any adversary.

Simple tactics are the most effective (a lesson the insurgents in the middle east have taken to heart).

I think a lot of people become angry on the internet when they see something they recognize. For JohnConnor, it’s perhaps trivial to “clone a legit radio,” but for me and people on this website it’s easier to combine an RF poweramp with a kid’s toy. For us that IS the most elegant solution.

Especially if our goal is learning more about the system and not just destroying it, as JohnConnor seems to be expert at. I think JohnConnor is pissed that us younger, more open-minded folks are not taken part in his Man-dance. He probably sees all of our activities as non-productive, materialistic ventures into stupid oblivion, but the world is more fluid now than it used to be and sometimes a random little project like this can stimulate one of us to do valuable, useful things.

Wow, if you want to start a flame war, you should pick a less knowledgeable opponent or at least read up on the topic you’re debating… I have no love for “IT” types but I have even less love for anyone who has “manager” or related in their title. At least IT folks do real work… I myself am neither and never will be, I am a firmware engineer who started out in board level EE and mechE design, cut my teeth on software and has racked up a nice portfolio of high level software projects in C, Java, C#, etc. My current job is all about embedded RF chips just like the CC1110. But I digress.

The attack vector as described in the video details using a $15 piece of equipment coupled with a piece of software allowing an attacker to:
1) completely jam all P25 traffic
2) selectively jam specific types of traffic (encrypted or unencrypted)
3) locate, identify and monitor specific radios within range (using a second triangulation source)
4) potentially impersonate (clone) a specific radio while at the same time knocking transmissions from said radio off the air.

Any of the above is pretty darn scary considering what these radios are supposed to be used for. It is even scarier considering that any of this could be done for less than $1000. Does that mean that every BadPerson(tm) will pick this specific method to cause trouble? No. But then again it’s not your average Joe who has access to anthrax or a nuke either and we still worry about those.

The thing about security is that you have to consider ALL risks and then weigh them based on probability of occurrence. This is why buffer overflows in software are a big deal. Sure they are unlikely and hard to find and a real pain in the a**. But if you were in any company I’ve worked at and decided to ignore them you’d be out the door or demoted to cleaning toilets so fast it would make your head spin. This particular attack looks to be pretty easy, very low cost, high availability and extremely disruptive. So yeah, it is a big deal unless it can be disproven based on technical arguments which you have yet to coherently voice.

No, I work for a large defense systems integrator and Motorola is a partner on some of our ventures.

The IT weenies muscled their way onto “turf” that used to belong to RF guys. Because of the presence of servers, management thinks “oh IT”… to which we say BS!

@Al, you’re proving my point. “IT” people just don’t get RF (radio). If you’re speaking of “conventional” operation, there are even more simpler ways of spoofing.

Come on, what next ? A paper on man-in-the-middle attacks on a microwave back haul ? or what about the publicity hounds on ATM “hacking” ? (and I don’t mean Asynchronous TM)… easy money, no ? well we don’t hear much about such high tech “hacks” – more low tech – dude drags the ATM away with a pick up truck!

As stated earlier ‘tempest-in-a-teapot’. Nothing but academic toilet paper. We’ve all written them in our college days.

The interesting part of this is that they have cracked the P25 protocol.
It could be interesting news for HAM radio operators. I live on the other side of the globe and we have P25 repeaters and people do own motorolas that do it.

It would be sweet to send P25 compatible txt messages to people who own compatible radios.

The problem with IT geeks (even if they might have EE), is, they seem to be preoccupied with minutaie regarding the practicality of concepts.

When I was an engineering manager for another firm, i’d constantly have to “reel” in overzealous software people who would want to expend resources on designing out scenarios that were statistically improbable, and would have prevented a timely product release.

For example, one guy wanted to “seizure proof” a device so epileptics would be able to use it. My response was ‘hey, we don’t have to be ADA compliant!’.

If I were the prof’s adjudicating a grade for this paper, i’d evaluate it for what it is. A mediocre PR stunt. Now, if you’ll excuse me, I’m going to go “hack” the ATM down the street (could use some extra cash). Oh wait, it’s easier to phone in a fake 911 call on the other side of town, crash a pickup truck thru the front door, and haul off the ATM to my garage. Screw all that “hacking” of crypto algorithims and spoofing magnetic strips, blah, blah, blah. Ah yes, that pesky concept of “REAL WORLD” adversaries is intruding.

Wow… Your pride must be incredibly hurt for you to harbor such anger towards “IT geeks”, the fact that a $15 toy and some “IT geeks” are able to circumvent security that had billions of dollars in R&D thrown into it says a lot about the way you “manage” your software engineers. Maybe instead of being so closed minded and telling them to stop “wasting time” trying to make the end product better, you let them do their jobs and you wouldn’t be in this position… But just like every other clueless manager out there, you think your way is the only way and that everyone who works for you knows nothing, newsflash my friend, most of those “overzealous software people” you’re putting down are MUCH smarter than you are, and most of the people you’re putting down on this very website are as well… So please, take your condescending attitude and ignorance out of here, we don’t need douchebags like you here, you’re absolutely useless.

Don’t tell that idiot anything. If he isn’t smart enough to know that many people may have epilepsy and not know it( the reason his programmers wanted to proof it), then he doesn’t deserve his positon. I may not have an ee or a mba, but I atleast know that it’s best to research every senario in this liability-sueing world. Btw, how does someone to down to hacking but suggestd using social engineering in the same breath?

Just as an FYI… Even if you do figure out how to do this with the IM-ME toy you will not be able to hear any traffic over the toy just make the Apco-P25 user switch-off thier encryption so you can listen on your pre-existing scanner. But I asuume most of you got that already.

Speaking of legacy toys (now discontinued): Check out the Ohio Arts Zender (http://tinyurl.com/d2tbw53) still available via EBAY or Amazon. It was a 49 mHz 2-way messaging transceiver with a 500 foot range. It is said to exploit a *still* classified USAF radio encryption technology. Evidently Ohio Arts had/has some employees once associated with such stuff in their R&D dept. They evidently saw no reason why not use such technology sans permission from UNCLE SAM. The reasoning was all they had to do is request that the FCC keep the details sequestered, which they did. The PCB is all SMT electronics and good luck trying to reverse engineer the signals with your spectrum analyzers. Cool toy though.

Other interesting 2-way messaging RF toy technology is the Russian-engineer-inspired CYBIKO. Also discontinued with only a small dedicated following special interests groups. It was a 900 mHz toy. This toy had really promising uses only the amateur-coder-programmer could imagine. Maybe that’s why it got pulled?

Another is Hasbro ChatNow SMS walkie-talkies. Somehow the engineers designed a protocol that just can not be easily tracked with standard scanner, frequency counter, and analyzer tools. Evidently it sets up a control channel (maybe random) and then sends out data to other listening units to set up a messaging channel. Really intriquing design. Also discontinued.

The next one is truly amazing and is NOT discontinued: The TriSquare TSX300 spread spectrum walkie-talkies. (http://www.trisquare.us/tsx300.htm) These things are not really toys but they are relatively cheap. And it appears possibly NO ONE can monitor you with a scanner! You can also do SMS text messaging.